Corporate directors are spending more time discussing cybersecurity issues in the boardroom and more money to mitigate cyber risks than a year ago, but they are still reluctant to go public with information about attacks, according to a survey by BDO USA.
Almost three quarters (74%) of 160 public-company directors said their boards are now more involved with cybersecurity than they were last year (see chart), and 80% have expanded their cybersecurity budget, by an average of 22%.
“Corporate directors are being briefed more often and are responding with increased budgets to address this critical area,” says Shahryar Shaghaghi, BDO’s national leader of technology services.
The surge in board participation is likely caused by increases in cyber-attack activity. More than one in five directors (22%) reported that the companies they oversaw experienced an attack in the past two years, which was double the percentage reported (11%) in BDO’s 2013 survey.
While boards are becoming more cognizant of cyber risk, they are still shying away from sharing critical information externally after an attack. Only 27% of directors say they do so, even though “sharing information gleaned from cyber-attacks is a key to defeating hackers,” says Shaghaghi.
Indeed, in July the White House issued Presidential Policy Directive 41, outlining a structure for companies to report cyber attacks to government agencies that can help track such attacks and coordinate response.
Cyber insurance plans are also on the rise. Twenty-eight percent of board members say they have purchased cyber-insurance in the past year, which was consistent with 2015 but 18 percentage points ahead of 2014.
In addition to cyber insurance plans, cyber-breach response plans are also increasing, with almost two thirds of directors (63%) saying a plan is now in place, up from 45% in 2015.
But despite the improved attention to cyber risk, the corporate community has a long way to go, even beyond the reticence to share information. “The survey reveals significant vulnerabilities,” says Shaghaghi. “Although measurable progress has been made from a year ago, less than half of board members report they have both identified and developed solutions to protect their critical digital assets, and an even smaller proportion indicate they have put cyber-risk requirements in place for third-party vendors — a major source of cyber attacks.”
Participants in the BDO USA Board Survey were directors of public companies with revenues ranging from $250 million to $1 billion. The survey was conducted in September 2016.